Windows Firewall is Enabled

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2010-01-13

The Microsoft Exchange Analyzer Tool examines the following registry entry to determine the version of the Windows operating system that is running on a computer:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion

The following table describes the values that can be assigned to the CurrentVersion entry.

| CurrentVersion value | Windows operating system |
|---|---|
| 4.0 | Windows NT Server 4.0 |
| 5.0 | Windows 2000 Server |
| 5.2 | Windows Server 2003 |
| 6.0 | Windows Server 2008 |

Next, Exchange Analyzer queries the Win32_ComputerSystem Windows Management Instrumentation (WMI) class to determine the value of the DomainRole property. The following table describes the values that can be assigned to the DomainRole property.

| Value | Meaning |
|---|---|
| 0 | Stand-alone workstation |
| 1 | Member workstation |
| 2 | Stand-alone server |
| 3 | Member server |
| 4 | Backup domain controller |
| 5 | Primary domain controller |

Next, Exchange Analyzer reads the following registry entry to determine whether a Windows Firewall policy is installed and enabled on the target server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\<Firewall Profile>\EnableFirewall

The following table describes the profiles that can be assigned to the FirewallPolicy subkey.

| Registry key | Meaning |
|---|---|
| StandardProfile | A set of Windows Firewall settings that are applied when a computer is not connected to a network that contains the domain controllers for the domain in which its computer account resides. |
| DomainProfile | A set of Windows Firewall settings that are applied when a computer is connected to a network that contains the domain controllers for the domain in which its computer account resides. |
| PublicProfile | The public profile is the same as the standard profile, but it applies to versions of the Windows Firewall on Windows operating systems that are later than Windows XP SP2. |

Finally, on Windows Server 2008-based computers, Exchange Analyzer reads the following registry entry to determine whether a Group Policy object is configured to disable the Windows Firewall:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\<Firewall_Profile>\EnableFirewall

A best practices message is displayed if Exchange Analyzer determines that any one of the following four scenarios is true:

  • The target server is:

    • Running Windows Server 2003.

    • Configured as a stand-alone server, a member server, or a domain controller.

    • Configured with the Windows Firewall standard profile enabled.

  • The target server is:

    • Configured as a member server.

    • Configured with the Windows Firewall domain profile enabled.

  • The target server is:

    • Running Windows Server 2008.

    • Configured as a domain controller.

    • Configured with the Windows Firewall domain profile enabled.

    • Not configured with a Group Policy to disable the Windows Firewall.

  • The target server is:

    • Running Windows Server 2008.

    • Configured as a stand-alone server.

    • Configured with the Windows Firewall public profile enabled.

    • Not configured with a Group Policy to disable the Windows Firewall.
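
To see which of the four scenarios a server matches, the same registry entries and WMI property can be read locally. The following Windows PowerShell script is an added example, not Exchange Analyzer's own code. It assumes that EnableFirewall is a DWORD where 1 means enabled and 0 means disabled, and that the Group Policy key uses the same profile names as the local key; the function names are hypothetical.

```powershell
# Added example (Windows PowerShell); function names are hypothetical.
# Assumption: EnableFirewall is a DWORD, 1 = enabled, 0 = disabled.
function Get-FirewallFlag([string]$Root, [string]$ProfileName) {
    # Returns the EnableFirewall value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path (Join-Path $Root $ProfileName) `
        -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($item) { [int]$item.EnableFirewall } else { $null }
}

function Get-MatchedScenario {
    param([string]$Version, [int]$Role, [hashtable]$LocalFlags, [hashtable]$PolicyFlags)
    $std = $LocalFlags['StandardProfile'] -eq 1
    $dom = $LocalFlags['DomainProfile'] -eq 1
    $pub = $LocalFlags['PublicProfile'] -eq 1
    # "Not configured with a Group Policy to disable": policy value is anything but 0.
    $domGpoOk = $PolicyFlags['DomainProfile'] -ne 0
    $pubGpoOk = $PolicyFlags['PublicProfile'] -ne 0
    $isDc = (4, 5) -contains $Role   # backup or primary domain controller
    $hits = @()
    # Scenario 1: Windows Server 2003, any server role, standard profile enabled.
    if ($Version -eq '5.2' -and ($isDc -or $Role -eq 2 -or $Role -eq 3) -and $std) { $hits += 1 }
    # Scenario 2: member server with the domain profile enabled (no OS version is stated).
    if ($Role -eq 3 -and $dom) { $hits += 2 }
    # Scenario 3: Windows Server 2008 domain controller, domain profile enabled, no disabling GPO.
    if ($Version -eq '6.0' -and $isDc -and $dom -and $domGpoOk) { $hits += 3 }
    # Scenario 4: Windows Server 2008 stand-alone server, public profile enabled, no disabling GPO.
    if ($Version -eq '6.0' -and $Role -eq 2 -and $pub -and $pubGpoOk) { $hits += 4 }
    return $hits
}

# Collect the same inputs the page lists: OS version, domain role, local and policy flags.
$localRoot  = 'HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$policyRoot = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall'
$localFlags = @{}; $policyFlags = @{}
foreach ($name in 'StandardProfile', 'DomainProfile', 'PublicProfile') {
    $localFlags[$name]  = Get-FirewallFlag $localRoot  $name
    $policyFlags[$name] = Get-FirewallFlag $policyRoot $name
}
$version = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion').CurrentVersion
$role    = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole

$hits = @(Get-MatchedScenario -Version $version -Role $role `
    -LocalFlags $localFlags -PolicyFlags $policyFlags)
if ($hits.Count) {
    "Warning would be raised: scenario(s) $($hits -join ', ')"
} else {
    "No scenario matched (CurrentVersion $version, DomainRole $role)"
}
```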

The best practices message means that the Windows Firewall is enabled on the target server. Microsoft does not recommend this configuration as a best practice. When the Windows Firewall is enabled on an Exchange server, it may cause client connection issues to occur. These issues may cause the following or other symptoms:

  • The Outlook client cannot connect to the server.

  • Network problems prevent connection to Exchange.

To resolve this warning, stop the Windows Firewall service.

To work around this warning when you must run Windows Firewall:

  • Verify that the correct firewall exceptions have been configured in Windows Firewall if clients cannot connect to the Exchange server.

  • Manually open ports in Windows Firewall so that Exchange System Manager and Exchange Administrator can run. When you open ports in Windows Firewall, you increase the chance that other programs may gain access to your computer through those ports. Carefully consider your network security requirements before opening ports in Windows Firewall.

Note: You will continue to receive the warning message when you run Exchange Analyzer.

For more information about the ports that are used by Exchange Server, see the "Protecting Exchange Data Paths" section of the "Exchange 2007 Security Guide" (https://go.microsoft.com/fwlink/?LinkID=167345).